Application Security This Week for November 25

A new open source project that generated an Android Studio project from an APK

https://maxkersten.nl/2018/11/21/androidprojectcreator-the-how-and-why/

 

Robert Graham has some thoughts on HTTP/3

https://blog.erratasec.com/2018/11/some-notes-about-http3.html?m=0

 

NEWS FLASH!  There is a security hole in Adobe Flash.

https://www.theregister.co.uk/2018/11/20/adobe_flash_bug/

 

Remember when I said there would never be a reliable exploit for the Rowhammer vulnerability?  I was wrong.

https://www.wired.com/story/rowhammer-ecc-memory-data-hack

 

Mr. Krebs was alerted to a vulnerability at USPS that an exasperated researcher had been trying to get them to fix for a year.

https://krebsonsecurity.com/2018/11/usps-site-exposed-data-on-60-million-users/

 

Late addition: PortSwigger posted the Top 10 Web Application Security research for the last couple of years.

https://portswigger.net/blog/top-10-web-hacking-techniques-of-2017

 

And that's the news!!

 

Application Security This Week for November 18

Here's a new set of training wheels for MetaSploit.  It's a little bumpy, but it is pretty decent as an intro to using scripting tools for exploitative pentesting.

https://github.com/M4cs/BabySploit/blob/master/README.md

 

A really good analysis of some PHP malware.  Beneficial reading for red and blue teams. As usual, please be careful playing with malware on your corporate network (or any other network).

https://blog.manchestergreyhats.co.uk/2018/11/07/php-malware-examination/

 

A new XSS detection tool with some nice hand-written parsers.

https://github.com/s0md3v/XSStrike

 

And that's the news!

Application Security This Week for November 11

Happy Veterans Day. Please make sure that this isn't the only day of the year that you take the time to do something for a veteran in your life.

 

The OWASP Top 10 project has added the Serverless Application Top 10 to the collection.

https://github.com/OWASP/Serverless-Top-10-Project/

 

Here's a good analysis of a live example of an Android banking trojan.

https://lukasstefanko.com/2018/11/video-analysis-of-android-banking-trojan-found-on-google-play.html

 

A malicious FaceTime caller can cause a kernal panic in some devices.

https://bugs.chromium.org/p/project-zero/issues/detail?id=1641

 

Squally is a purposefully vulnerable video game to teach hacking of games.  Neat idea.

https://squallygame.com/

 

Struts has yet another RCE bug.

https://www.theregister.co.uk/2018/11/07/flaw_in_apache_struts/

 

There is a XSS bug in Evernote!

https://securityaffairs.co/wordpress/77789/hacking/evernote-xss-flaw.html

 

And that's the news.

Application Security This Week for November 4

A new-to-me file upload vulnerability scanner got an update recently - worth a look.

https://github.com/almandin/fuxploider

 

Not a very USEFUL vulnerability, but someone figured out how to bypass Chrome's security model for cookies.

https://mango.pdf.zone/stealing-chrome-cookies-without-a-password

 

Telerik (a developer tools company) has a good post on XSS and Content Security Policy.

https://www.telerik.com/blogs/on-cross-site-scripting-and-content-security-policy

 

And that's the news!

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.

 

 

profile for Bill Sempf on Stack Exchange, a network of free, community-driven Q&A sites

MonthList